CIT 384: Network Administration: VPNs

Date post: 12-Jan-2016
Upload: adam-shepherd

Transcript

CIT 384: Network Administration Slide #1

CIT 384: Network Administration

VPNs

CIT 384: Network Administration Slide #2

Topics

1. VPNs

2. Tunneling

3. ssh

4. SSL

5. IPsec

6. L2TP

CIT 384: Network Administration Slide #3

VPNs

VPNs try to provide leased-line features using a public network at lower cost:

– Privacy: preventing unauthorized people from being able to read VPN traffic.
– Authentication: verifying that the sender of VPN traffic is an authorized device.
– Integrity: verifying that data is not changed in transit.

CIT 384: Network Administration Slide #4

VPN Example

1. PC1 sends an IP packet to S1.
2. The router encapsulates the IP packet in VPN + IP headers.
3. No one can read the packet in the middle.
4. ASA-1 checks security and de-encapsulates.
5. S1 receives the IP packet from PC1.

CIT 384: Network Administration Slide #5

VPN Types

– Remote Access: individual user to network.
– Intranet: connect networks of two sites.
– Extranet: connect networks of two partnering organizations.

CIT 384: Network Administration Slide #6

Tunneling

Tunneling: encapsulation of one network protocol in another protocol.

– Carrier Protocol: protocol used by the network through which the information is travelling.
– Encapsulating Protocol: protocol (GRE, IPsec, L2TP) that is wrapped around the original data.
– Passenger Protocol: protocol that carries the original data.

CIT 384: Network Administration Slide #7

Tunneling Protocols by Layer

Layer                     Protocols
Application / Transport   ssh, SSL
Network                   IPsec
Data Link                 L2TP, MPLS

CIT 384: Network Administration Slide #8

ssh

Secure Shell

Replaces:
– telnet
– ftp
– rlogin
– rsh
– rcp

CIT 384: Network Administration Slide #9

SSH Security Features

CIT 384: Network Administration Slide #10

ssh tunneling

Use ssh tunneling to encrypt TCP connections:

    ssh -L lport:rhost:rport rhost

Connections to lport on the local host are carried inside the encrypted ssh session and delivered to rport on rhost.

– Carrier Protocol: IP
– Encapsulating Protocol: ssh
– Passenger Protocol: TCP on a specific port

CIT 384: Network Administration Slide #11

SSL/TLS

Secure Sockets Layer
– Commonly used to encrypt web connections.
– Also used for IMAP, LDAP, POP, etc.
– Transport Layer Security supersedes SSLv3.

Can be used to create tunnels
– Configure similarly to ssh tunnels.
– Stunnel is open source SSL tunnel software.

CIT 384: Network Administration Slide #12

IPsec

IPsec includes three major protocols
– Internet Key Exchange (IKE): provides a framework for negotiating security parameters.
– Encapsulating Security Payload (ESP): provides a framework for encrypting, authenticating, and securing data.
– Authentication Header (AH): provides a framework for authenticating and securing data.

CIT 384: Network Administration Slide #13

IPsec General Operation

To communicate with IPsec, devices must
– Agree on a set of security protocols.
– Agree on an encryption algorithm.
– Exchange cryptographic keys.
– Use the above to encode and decode data.

CIT 384: Network Administration Slide #14

IPsec Packet Encapsulation

Transport Mode
– The original IP header of the packet being encrypted is used to transport the packet.
– The ESP or AH header is inserted between the IP header and the payload.

Tunnel Mode
– A new IP header is added in front of the ESP/AH header. This header contains the IP addresses of the two IPsec peers as source and destination.
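Transport mode and tunnel mode side by side, as an added example (not from the course slides). It frames a constructed packet in ESP with NULL encryption (RFC 2410) so the layout stays readable in the bytes, and protects it with an HMAC-SHA256-128 ICV; the key, the 10.x and RFC 5737 addresses, and the function names are assumptions made here.

```python
"""ESP framing in transport mode vs tunnel mode. Added example, not from the slides.
Uses ESP with NULL encryption (RFC 2410) so the layout is visible in the bytes, and an
HMAC-SHA256-128 ICV for integrity. Key and addresses are constructed for the demo."""
import hashlib
import hmac
import ipaddress
import struct

ESP_PROTO = 50     # IPsec ESP (from the ESP slide)
PROTO_IPV4 = 4     # ESP next-header value: the payload is a whole IPv4 packet (tunnel mode)
PROTO_TCP = 6
ICV_LEN = 16       # HMAC-SHA256-128 truncation (RFC 4868)
DEMO_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # constructed, demo only


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """20-byte IPv4 header with a valid checksum (no options, TTL 64)."""
    h = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                    ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    s = sum(struct.unpack("!10H", h))
    s = (s & 0xFFFF) + (s >> 16)
    s = (s & 0xFFFF) + (s >> 16)           # two folds suffice for ten words
    return h[:10] + struct.pack("!H", ~s & 0xFFFF) + h[12:]


def ip_addresses(packet: bytes) -> tuple:
    """(source, destination) of the IPv4 header at the front of packet."""
    return str(ipaddress.IPv4Address(packet[12:16])), str(ipaddress.IPv4Address(packet[16:20]))


def esp_encapsulate(key: bytes, spi: int, seq: int, payload: bytes, next_header: int) -> bytes:
    """ESP header (SPI, sequence) + payload + trailer (padding, pad length, next header) + ICV.
    With NULL encryption the payload and trailer go out as-is; padding aligns the trailer
    to 4 bytes as RFC 4303 section 2.4 requires. The ICV covers everything before it."""
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))                   # RFC 4303 default padding values
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    return body + hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]


def esp_decapsulate(key: bytes, esp: bytes) -> tuple:
    """Verify the ICV, then strip the ESP header and trailer. Returns (spi, seq, next_header, payload)."""
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):
        raise ValueError("ESP ICV mismatch: packet modified or wrong key")
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    return spi, seq, next_header, body[8:len(body) - 2 - pad_len]


def transport_mode(key: bytes, spi: int, seq: int, packet: bytes) -> bytes:
    """Keep the original IP header (its protocol becomes 50) and insert ESP between it and the payload."""
    ihl = (packet[0] & 0x0F) * 4
    header, payload = packet[:ihl], packet[ihl:]
    esp = esp_encapsulate(key, spi, seq, payload, next_header=header[9])   # byte 9 = original protocol
    src, dst = ip_addresses(header)
    return ipv4_header(src, dst, ESP_PROTO, len(esp)) + esp


def tunnel_mode(key: bytes, spi: int, seq: int, packet: bytes, peer_src: str, peer_dst: str) -> bytes:
    """The whole original packet becomes the ESP payload; a new outer header names the two IPsec peers."""
    esp = esp_encapsulate(key, spi, seq, packet, next_header=PROTO_IPV4)
    return ipv4_header(peer_src, peer_dst, ESP_PROTO, len(esp)) + esp


def decapsulate(key: bytes, packet: bytes) -> bytes:
    """Undo either mode and return the original IP packet; the next-header field tells the modes apart."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != ESP_PROTO:
        raise ValueError("not an ESP packet")
    _spi, _seq, next_header, payload = esp_decapsulate(key, packet[ihl:])
    if next_header == PROTO_IPV4:         # tunnel mode: the payload is already a complete packet
        return payload
    src, dst = ip_addresses(packet)       # transport mode: restore the original header around the payload
    return ipv4_header(src, dst, next_header, len(payload)) + payload


if __name__ == "__main__":
    segment = b"GET / HTTP/1.0\r\n"       # constructed stand-in for a TCP segment
    original = ipv4_header("10.1.1.10", "10.2.2.20", PROTO_TCP, len(segment)) + segment
    t = transport_mode(DEMO_KEY, 0x1001, 1, original)
    u = tunnel_mode(DEMO_KEY, 0x1002, 1, original, "198.51.100.1", "203.0.113.1")
    print("transport mode outer addresses:", ip_addresses(t), "length", len(t))
    print("tunnel mode    outer addresses:", ip_addresses(u), "length", len(u))
    assert decapsulate(DEMO_KEY, t) == original and decapsulate(DEMO_KEY, u) == original
```

Running it shows the point of the slide in the outer header: in transport mode the outer addresses are still the end hosts, in tunnel mode they are the two peers and the whole inner packet (addresses included) sits inside the ESP payload. Any change to the framed bytes, or a wrong key, fails the ICV check before anything is handed up.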

CIT 384: Network Administration Slide #15

IKE

IKE handles
– Negotiating protocol parameters
– Exchanging public keys
– Authenticating both sides
– Managing keys after exchange

IKE is a UDP-based protocol.

CIT 384: Network Administration Slide #16

ESP

Encapsulates IP packet to provide
– Authentication
– Encryption
– Integrity validation
– Anti-replay

IP protocol 50, described in RFC 2406

CIT 384: Network Administration Slide #17

AH

Authentication Header provides authentication + integrity
– Uses a keyed hash algorithm as the checksum.
– Unlike a CRC, it cannot be reproduced without the key.
– Also protects against replay attacks.
– Does not encrypt packet contents.
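Two of the AH properties above, the keyed hash and the replay protection (which the ESP slide lists as anti-replay as well), worked through as an added example that is not from the course slides. The "checksum" is HMAC-SHA256-128 as in RFC 4868, the sliding window follows RFC 4303 section 3.4.3, and the key, packet format (sequence number, data, ICV) and function names are constructed here for the demo.

```python
"""Why AH uses a keyed hash rather than a CRC, plus the anti-replay window that AH and ESP share.
Added example (not from the slides): the 'checksum' is HMAC-SHA256-128 as in RFC 4868; the
replay window follows RFC 4303 section 3.4.3. Key and packets are constructed for the demo."""
import hashlib
import hmac
import struct
import zlib

DEMO_KEY = bytes.fromhex("0f0e0d0c0b0a09080706050403020100")   # constructed, demo only
ICV_LEN = 16


def crc_tag(data: bytes) -> bytes:
    """Unkeyed CRC-32: anyone can recompute it, so it only catches accidental corruption."""
    return struct.pack("!I", zlib.crc32(data) & 0xFFFFFFFF)


def keyed_tag(key: bytes, data: bytes) -> bytes:
    """Keyed hash (HMAC) truncated to 128 bits: recomputing it requires the key."""
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def crc_accepts(data: bytes, tag: bytes) -> bool:
    return crc_tag(data) == tag


def keyed_accepts(key: bytes, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(keyed_tag(key, data), tag)


def modified_in_transit(data: bytes) -> bytes:
    """A one-byte change somewhere on the path, to see what each checksum reports."""
    return data[:-1] + bytes([data[-1] ^ 0x01])


class ReplayWindow:
    """Sliding anti-replay window: each sequence number is accepted at most once, and anything
    older than the window is rejected. Bit i of the bitmap records whether (top - i) was seen."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0        # highest sequence number accepted so far (0 = nothing yet)
        self.bitmap = 0

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False                                   # first packet on an SA is number 1
        if seq > self.top:                                 # new high: slide the window forward
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                                   # too old: fell off the window
        if (self.bitmap >> offset) & 1:
            return False                                   # already seen: a replay
        self.bitmap |= 1 << offset
        return True


def make_packet(key: bytes, seq: int, data: bytes) -> bytes:
    """Constructed 'seq || data || ICV' packet standing in for an AH-protected datagram."""
    body = struct.pack("!I", seq) + data
    return body + keyed_tag(key, body)


def receive(key: bytes, packet: bytes, window: ReplayWindow) -> tuple:
    """Receiver side: verify the keyed ICV first, then consult the replay window, in that
    order so an unauthenticated packet can never move the window."""
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not keyed_accepts(key, body, icv):
        return False, "ICV mismatch"
    seq = struct.unpack("!I", body[:4])[0]
    if not window.check_and_update(seq):
        return False, "replayed or stale sequence number %d" % seq
    return True, "ok"


if __name__ == "__main__":
    data = b"transfer 100 to account 42"            # constructed payload
    changed = modified_in_transit(data)
    print("CRC accepts a changed packet whose CRC was recomputed:", crc_accepts(changed, crc_tag(changed)))
    print("keyed ICV accepts a changed packet with the old ICV:",
          keyed_accepts(DEMO_KEY, changed, keyed_tag(DEMO_KEY, data)))
    window = ReplayWindow()
    first = make_packet(DEMO_KEY, 1, data)
    print(receive(DEMO_KEY, first, window))         # accepted
    print(receive(DEMO_KEY, first, window))         # the same packet again: rejected
```

The CRC half shows why a plain checksum is not an authentication mechanism: it detects the corruption, but it is just as easy to recompute after the change, so a receiver cannot tell the two cases apart. The window half is the detection logic a receiver keeps per security association; it is bounded (64 bits here) so that old packets do not have to be remembered forever.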

CIT 384: Network Administration Slide #18

NAT Transparency

PAT can't change the encrypted transport header: the port numbers it would rewrite are inside the ESP payload.

Solution: add an extra UDP header.
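The "extra UDP header" in practice is NAT traversal as specified in RFC 3948 (ESP inside UDP, port 4500). The added example below, which is not from the course slides, simulates a port address translator to show why plain ESP gives it nothing to rewrite and why the UDP wrapper does; the ESP bytes, the translated port and the function names are constructed for the demo.

```python
"""NAT traversal for ESP: why PAT fails on plain ESP and what UDP encapsulation (RFC 3948,
UDP port 4500) changes. Added example with a simulated PAT rewrite; the ESP bytes are constructed."""
import struct

ESP_PROTO = 50
UDP_PROTO = 17
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # IKE on port 4500 starts with 4 zero bytes; an ESP SPI is never 0


def udp_encapsulate(esp: bytes, sport: int = NAT_T_PORT, dport: int = NAT_T_PORT) -> bytes:
    """Prepend a plain UDP header. The checksum is sent as zero, as RFC 3948 recommends for NAT-T."""
    return struct.pack("!HHHH", sport, dport, 8 + len(esp), 0) + esp


def udp_decapsulate(datagram: bytes) -> tuple:
    """Split a UDP datagram into (source port, destination port, payload)."""
    sport, dport, length, _csum = struct.unpack("!HHHH", datagram[:8])
    return sport, dport, datagram[8:length]


def classify_port_4500(payload: bytes) -> str:
    """Demultiplex what arrives on UDP 4500: IKE carries a non-ESP marker, ESP starts with its SPI."""
    return "ike" if payload[:4] == NON_ESP_MARKER else "esp"


def pat_outbound(proto: int, l4: bytes, new_sport: int) -> bytes:
    """What a port address translator does on the way out: rewrite the source port so several
    inside hosts can share one outside address. Only protocols with port fields qualify."""
    if proto == UDP_PROTO:
        # Rewrite the 16-bit source port; the rest of the datagram, ESP included, is untouched.
        # (With a zero UDP checksum there is nothing else for the translator to fix up.)
        return struct.pack("!H", new_sport) + l4[2:]
    if proto == ESP_PROTO:
        raise ValueError("ESP (IP protocol 50) has no port field; PAT cannot multiplex it")
    raise ValueError("protocol %d not handled in this demo" % proto)


def traverse_nat(esp: bytes, encapsulate: bool, translated_port: int = 40001) -> tuple:
    """Send one ESP packet through the simulated PAT, with or without the NAT-T UDP header, and
    return (source port, destination port, ESP bytes) as the far peer sees them."""
    if not encapsulate:
        pat_outbound(ESP_PROTO, esp, translated_port)          # raises: nothing to rewrite
    datagram = pat_outbound(UDP_PROTO, udp_encapsulate(esp), translated_port)
    return udp_decapsulate(datagram)


if __name__ == "__main__":
    esp = struct.pack("!II", 0x1234ABCD, 7) + b"<encrypted payload and ICV>"   # constructed ESP bytes
    sport, dport, seen = traverse_nat(esp, encapsulate=True)
    print("with NAT-T: peer sees ports %d -> %d, ESP intact: %s" % (sport, dport, seen == esp))
    try:
        traverse_nat(esp, encapsulate=False)
    except ValueError as err:
        print("without NAT-T:", err)
```

The translator only ever touches the UDP header, so the ESP header, payload and ICV arrive byte-for-byte as sent; that is what keeps the integrity check passing at the far end. The non-ESP marker is how a peer listening on 4500 tells IKE from ESP without any other state.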

CIT 384: Network Administration Slide #19

GRE

Generic Routing Encapsulation
– Cisco IP tunneling protocol.
– Allows use of multicast protocols.
– Combine with IPsec to allow routing information to be passed between networks.

IP protocol 47
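The three tunneling layers from the Tunneling slide (carrier, encapsulating, passenger) with GRE as the encapsulating protocol, worked through as an added example that is not from the course slides. It builds a passenger IPv4 packet, wraps it in a GRE header and a carrier IPv4 header with protocol 47, then takes it apart again; the 10.x inside addresses, the RFC 5737 tunnel endpoints and the function names are assumptions made here.

```python
"""Tunneling as three nested protocols (carrier, encapsulating, passenger) using GRE.
Added example: stdlib only, constructed addresses (RFC 1918 inside, RFC 5737 outside)."""
import ipaddress
import struct

GRE_PROTO = 47           # outer IPv4 "protocol" value for GRE (from the GRE slide)
ETHERTYPE_IPV4 = 0x0800  # GRE "protocol type" announcing an IPv4 passenger
GRE_FLAG_MASK = 0xB007   # C (0x8000), K (0x2000), S (0x1000) option bits and the version bits


def ip_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words, as IPv4 requires for its header checksum."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options, no fragmentation) plus payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    header = header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(packet: bytes) -> dict:
    """Split an IPv4 packet into header fields and payload, verifying the header checksum."""
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0:          # a header with a correct checksum sums to zero
        raise ValueError("bad IPv4 header checksum")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": packet[ihl:total_len]}


def gre_encapsulate(passenger: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Carrier IPv4 (tunnel endpoints) -> encapsulating GRE -> passenger packet."""
    gre_header = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # no checksum/key/sequence options, version 0
    return build_ipv4(tunnel_src, tunnel_dst, GRE_PROTO, gre_header + passenger)


def gre_decapsulate(carrier: bytes) -> bytes:
    """Reverse of gre_encapsulate: strip the carrier and GRE headers, return the passenger."""
    outer = parse_ipv4(carrier)
    if outer["proto"] != GRE_PROTO:
        raise ValueError("carrier payload is not GRE")
    flags, ptype = struct.unpack("!HH", outer["payload"][:4])
    if flags & GRE_FLAG_MASK:
        raise ValueError("GRE optional fields (checksum/key/sequence) not handled here")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("passenger is not IPv4: 0x%04x" % ptype)
    return outer["payload"][4:]


def tunnel_layers(carrier: bytes) -> dict:
    """Name the three layers of a GRE-over-IP packet in the slide's vocabulary."""
    outer = parse_ipv4(carrier)
    inner = parse_ipv4(gre_decapsulate(carrier))
    return {"carrier": ("IPv4", outer["src"], outer["dst"]),
            "encapsulating": ("GRE", "IP protocol %d" % outer["proto"]),
            "passenger": ("IPv4", inner["src"], inner["dst"], "protocol %d" % inner["proto"])}


if __name__ == "__main__":
    # Constructed sample: a UDP packet between two private LANs, tunnelled between two routers.
    passenger = build_ipv4("10.1.1.10", "10.2.2.20", 17, b"hello")
    carrier = gre_encapsulate(passenger, "198.51.100.1", "203.0.113.1")
    for layer, detail in tunnel_layers(carrier).items():
        print(layer, detail)
    assert gre_decapsulate(carrier) == passenger
```

Note what the carrier header does and does not hide: the public network only sees the two tunnel endpoints and protocol 47, but GRE adds no encryption, so the passenger's private addresses and data are readable by anyone on the path. That is the reason the slide pairs GRE with IPsec.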

CIT 384: Network Administration Slide #20

L2TP

• Open successor to
  – L2F (Cisco)
  – PPTP (MS)
• Layer 2 tunnel, so it supports any layer 3 protocol.
  – Encapsulates in UDP datagrams to port 1701.
• Does not provide encryption or authentication.
• Use with IPsec.

CIT 384: Network Administration Slide #21

Key Points

Tunneling
– Carrier Protocol
– Encapsulating Protocol
– Passenger Protocol

VPNs
– layer 4: ssh, SSL
– layer 3: IPsec
– layer 2: L2TP

IPsec
– ESP
– AH
– IKE
– Tunnel mode vs transport mode
